07 Apr, 2023

Remote Desktop Protocol (RDP)

RDP (Remote Desktop Protocol) is a proprietary protocol developed by Microsoft that enables remote access to desktops, applications, and resources on a remote computer over a network connection. RDP is primarily used for remote administration and remote assistance purposes, allowing administrators and support staff to remotely manage and troubleshoot computers and applications.

RDP common ports

In addition to port 3389, the following ports may also be used by RDP:

  • TCP 3388: This port is used by RDP in a load-balanced environment where multiple servers are providing remote desktop services.

  • TCP 3387: This port is used by RDP for a secondary listening port in case the primary listening port (3389) is unavailable.

  • TCP 3390: This port is sometimes used as an alternate port for RDP in some VPN configurations.

Standard commands (unauthenticated)

Windows – mstsc /v:54.208.6.83:3389

Linux – rdesktop IPAddress

auxiliary/scanner/rdp/rdp_scanner

Recon (non-standard commands)

nmap -p3389 --script rdp-enum-encryption 10.0.0.4

(RDP version 5.2 in its default configuration is vulnerable to a man-in-the-middle attack.)

nmap -p 3389 --script rdp-ntlm-info <target>
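The enumeration above is only useful if someone turns it into findings. The following added example (not from the original page) parses rdp-enum-encryption output and flags servers that still accept legacy "Native RDP" security (no TLS/NLA, the MITM exposure noted above) or the weak 40/56-bit RC4 ciphers; the sample output is constructed in the layout the nmap script prints, and that layout is an assumption.

```python
# Added example (not from the original page): turn nmap rdp-enum-encryption
# output into findings a defender acts on. "Native RDP: SUCCESS" means the
# server still accepts sessions without TLS/NLA; 40/56-bit RC4 are the weak
# legacy ciphers. The sample is constructed in the script's output layout
# (that layout is an assumption, check it against your nmap version).
import re

SAMPLE_OUTPUT = """\
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|     Native RDP: SUCCESS
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|     FIPS 140-1: SUCCESS
|_  RDP Protocol Version: RDP 5.x, 6.x, 7.x, or 8.x server
"""

# Matches "|   <name>: <result>" lines; the script header and section
# headings carry no "name: value" pair and are skipped.
LINE_RE = re.compile(r"^\|_?\s+(?P<name>[^:]+?):\s+(?P<result>.+?)\s*$")

def parse_enum_encryption(text):
    """Return {setting: result} for every 'name: value' line in the output."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out[m.group("name").strip()] = m.group("result")
    return out

def audit_rdp_security(settings):
    """Return findings for settings that leave RDP weaker than NLA-only."""
    findings = []
    if settings.get("CredSSP (NLA)") != "SUCCESS":
        findings.append("NLA (CredSSP) not supported; enable Network Level Authentication")
    if settings.get("Native RDP") == "SUCCESS":
        findings.append("Legacy 'Native RDP' security accepted; NLA not enforced (MITM exposure)")
    for cipher in ("40-bit RC4", "56-bit RC4"):
        if settings.get(cipher) == "SUCCESS":
            findings.append(f"Weak cipher accepted: {cipher}; set encryption level to High or FIPS")
    return findings
```

A host that only reports CredSSP (NLA) as SUCCESS and FAILED for Native RDP and the RC4 variants produces no findings.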

Brute-force connection

https://github.com/vanhauser-thc/thc-hydra

hydra -t 1 -V -f -l administrator -P wordlist.txt rdp://192.168.0.100

Run exploits

auxiliary/scanner/rdp/ms12_020_check (check module: tests whether the host is vulnerable to MS12-020 without exploiting it)

Tools for the RDP protocol

Manual Tools:

  • Microsoft Remote Desktop Connection Manager (RDCMan) – RDCMan is a popular manual tool used for managing multiple remote desktop connections. It allows you to view and control multiple remote desktop sessions from a single interface.

  • mstsc.exe – This is the default Remote Desktop Connection client application built into Windows. It allows you to connect to a remote Windows desktop or server.

  • Remote Desktop Manager – This is a third-party remote desktop connection management tool that allows you to manage and connect to multiple remote desktops from a single interface.

  • FreeRDP – This is an open-source implementation of the Remote Desktop Protocol (RDP) that allows you to connect to a remote Windows desktop or server from a Linux machine.

  • rdesktop – This is another open-source RDP client for Linux that allows you to connect to a remote Windows desktop or server.

Automated Tools:

  • Ncrack – Ncrack is a network authentication cracking tool that can be used to test RDP authentication. It supports RDP versions 4 and 5.

  • Hydra – Hydra is a network authentication cracking tool that supports RDP authentication. It can be used to test for weak passwords on RDP connections.

  • Medusa – Medusa is another network authentication cracking tool that supports RDP authentication. It is designed for parallel testing of multiple remote servers and services.

  • TSGrinder – TSGrinder is a tool specifically designed for brute-forcing RDP connections. It can test for weak passwords and attempt to gain access to remote systems.

  • RDPY – RDPY is an open-source RDP penetration testing tool that can be used to test RDP for vulnerabilities and security weaknesses.

  • RDPScan – RDPScan is a command-line tool that scans networks for open RDP servers. It can be used to identify potential targets for RDP testing and exploitation.

  • RDPTT – RDPTT (RDP Security Tool) is an RDP security testing tool that can be used to test for vulnerabilities and security weaknesses in RDP connections.

  • RDP-Check – RDP-Check is a tool for testing the security of RDP connections. It can be used to test for weak passwords, brute-force attacks, and other vulnerabilities.

  • RDPY-Tools – RDPY-Tools is a collection of RDP security testing tools that can be used to test RDP for vulnerabilities and security weaknesses.

  • RDPScanGUI – RDPScanGUI is a graphical user interface (GUI) tool for RDP scanning and testing. It allows you to easily scan networks for open RDP servers and test them for vulnerabilities.

Last five known CVEs for RDP

  • CVE-2023-20123: A vulnerability in the offline access mode of Cisco Duo Two-Factor Authentication for macOS and Duo Authentication for Windows Logon and RDP could allow an unauthenticated, physical attacker to replay valid user session credentials and gain unauthorized access to an affected macOS or Windows device. This vulnerability exists because session credentials do not properly expire. An attacker could exploit this vulnerability by replaying previously used multifactor authentication (MFA) codes to bypass MFA protection. A successful exploit could allow the attacker to gain unauthorized access to the affected device.

  • CVE-2022-24883: FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server-side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP-based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left.

  • CVE-2022-24882: FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager (NTLM) authentication does not properly abort when someone provides an empty password value. This issue affects FreeRDP-based RDP server implementations. RDP clients are not affected. The vulnerability is patched in FreeRDP 2.7.0. There are currently no known workarounds.

  • CVE-2022-23613: xrdp is an open source remote desktop protocol (RDP) server. In affected versions, an integer underflow leading to a heap overflow in the sesman server allows any unauthenticated attacker who can locally access a sesman server to execute code as root. This vulnerability has been patched in version 0.9.18.1 and above. Users are advised to upgrade. There are no known workarounds.

  • CVE-2022-23493: xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp versions before v0.9.21 contain an out-of-bounds read in the xrdp_mm_trans_process_drdynvc_channel_close() function. There are no known workarounds for this issue. Users are advised to upgrade.

Useful information

– Remote Desktop Connection: RDP uses the Remote Desktop Connection software, which is built into Windows operating systems, to establish remote connections between computers.

– Screen sharing: RDP allows users to share their desktop screen with others, making it useful for remote collaboration and support.

– Multi-user access: RDP enables multiple users to connect to and use the same remote desktop simultaneously, allowing for collaboration and remote support.

– Audio and video redirection: RDP allows for the redirection of audio and video resources from the remote desktop to the local computer.

– Encryption: RDP uses encryption to secure the remote desktop session and protect data from interception or tampering.

– Firewall rules: To allow inbound RDP connections, the Windows Firewall must be configured to allow traffic on port 3389 (or the configured RDP port) for both TCP and UDP traffic.

– Security risks: RDP can be vulnerable to security risks such as brute-force password attacks, man-in-the-middle attacks, and denial-of-service attacks. It’s important to properly secure RDP by using strong passwords, limiting access to authorized users and IP addresses, and using other security measures such as VPNs and two-factor authentication.

– RDP over VPN: Using a VPN to connect to RDP can provide an additional layer of security by encrypting all traffic between the local computer and the remote desktop or server.

– RDP alternatives: There are alternative remote desktop protocols and software available, such as VNC (Virtual Network Computing) and TeamViewer.

Known banners

“Remote Desktop Services” – This banner may appear during a port scan or vulnerability assessment, indicating that the target system has RDP enabled.

“MS Terminal Services” – This banner may appear in older versions of RDP, indicating the use of Microsoft Terminal Services.

“RDP-Tcp” – This banner may appear when viewing open network ports on a system, indicating the use of the RDP protocol.

“Microsoft RDP 5.2” – This banner may appear in older versions of RDP, indicating the use of Microsoft RDP version 5.2.

“Microsoft Terminal Services Client” – This banner may appear in the user agent string of an RDP client, indicating the use of Microsoft Terminal Services.

Books for studying the Remote Desktop Protocol (RDP)

“Remote Desktop Services for Windows Server 2008 R2: Designing and Deploying Virtual Desktops” by Greg Shields: This book covers the design and deployment of virtual desktops using Windows Server 2008 R2 Remote Desktop Services.

“Windows Server 2016 Remote Desktop Services: Deployment, Administration, and Troubleshooting” by Andrew Bettany and Aaron Parker: This book covers the deployment, administration, and troubleshooting of remote desktop services on Windows Server 2016.

“Mastering Windows Server 2012 R2” by Mark Minasi: This book covers a wide range of topics related to Windows Server 2012 R2, including remote desktop services.

“Remote Desktop Services: The Complete Guide to Understanding and Implementing Remote Desktop Services in Windows” by Eric Siron and Christa Anderson: This book provides a comprehensive guide to understanding and implementing remote desktop services in Windows, covering both design and deployment.

“Remote Desktop Protocol (RDP) Security: A Practical Guide for Securing RDP Network Resources” by Dr. Eric Cole: This book focuses specifically on the security of remote desktop protocol (RDP) and provides practical guidance for securing RDP network resources.

“Troubleshooting Remote Desktop Services Connections” by Shannon Fritz: This book focuses on troubleshooting remote desktop services connections on Windows Server.

“Remote Desktop Services (RDS) Installation and Configuration for the Windows Server 2012 R2 Environment” by Brian Svidergol and Neil Smyth: This book provides a step-by-step guide to installing and configuring remote desktop services on Windows Server 2012 R2.

“Pro Windows Server: Remote Desktop Services” by Todd Lammle and David R. Miller: This book covers remote desktop services on Windows Server, including installation, configuration, and administration.

“Remote Desktop Gateway (RD Gateway) 2012 R2: Installation, Configuration, and Troubleshooting” by Yury Magalif: This book focuses specifically on the installation, configuration, and troubleshooting of remote desktop gateway (RD Gateway) on Windows Server 2012 R2.

“RDP: Remote Desktop Protocol – Everything You Need to Know” by Gerardus Blokdyk: This book provides a comprehensive overview of remote desktop protocol (RDP) and covers topics such as security, performance, and configuration.

List of payloads for the Remote Desktop Protocol (RDP)

  • RDP credential brute forcing: This payload involves attempting to brute force the RDP login credentials, typically by running a script that tries various username and password combinations.

  • RDP exploit payloads: These are payloads that target known vulnerabilities in the RDP protocol, such as BlueKeep (CVE-2019-0708) and DejaBlue (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1226).

  • RDP Man-in-the-Middle (MITM) payloads: These payloads involve intercepting and modifying RDP traffic between the client and server to steal data or perform other malicious activities.

  • RDP keylogging payloads: These payloads involve intercepting keystrokes made by the user during an RDP session, potentially capturing sensitive information such as passwords.

  • RDP remote code execution (RCE) payloads: These payloads involve exploiting vulnerabilities in the RDP service to execute arbitrary code on the target system, giving the attacker full control over the machine.

Mitigation

  1. Use complex passwords that are difficult to guess and ensure that they are changed regularly.

  2. Enable Network Level Authentication (NLA). NLA requires users to authenticate before an RDP session is established, which helps to prevent brute-force attacks.

  3. Establish a VPN connection before connecting to RDP, as this adds an additional layer of security.

  4. Restrict RDP access to only those users who need it, and consider implementing an IP whitelist to further limit access.

  5. Ensure that the RDP service is up to date with the latest security patches to prevent exploitation of known vulnerabilities.

  6. Use a network monitoring tool to detect and alert on suspicious RDP activity, such as failed login attempts or repeated connections from the same IP address.

  7. Require users to provide a second factor of authentication, such as a token or biometric data, to access the RDP service.

  8. Consider using a dedicated server as a bastion host, which acts as an intermediary between the user and the RDP server, adding an extra layer of protection.
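Mitigation 6 above is the one that needs code to be useful. The following added example (not from the original page) implements that detection over Windows Security events: 4625 (failed logon) and 4624 (successful logon) with Logon Type 10, which is RemoteInteractive, i.e. RDP. It alerts once per source IP when failures cross a threshold inside a sliding window, and again if that IP then logs in successfully, which is the case to escalate first. The event line format is a constructed simplification of the real log layout, and the thresholds are assumptions.

```python
# Added example (not from the original page): flag RDP password guessing
# from Windows Security events 4625/4624 with Logon Type 10 (RDP). The line
# format is a constructed simplification of those events, not the real layout.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 5 failures in 25 s from one IP followed by a success,
# and one isolated failure (a typo) from another IP that must not alert.
SAMPLE_EVENTS = """\
2023-04-07T10:00:01Z 4625 LogonType=10 TargetUser=administrator SourceIP=192.168.0.100
2023-04-07T10:00:05Z 4625 LogonType=10 TargetUser=administrator SourceIP=192.168.0.100
2023-04-07T10:00:12Z 4625 LogonType=10 TargetUser=admin SourceIP=192.168.0.100
2023-04-07T10:00:20Z 4625 LogonType=10 TargetUser=administrator SourceIP=192.168.0.100
2023-04-07T10:00:26Z 4625 LogonType=10 TargetUser=administrator SourceIP=192.168.0.100
2023-04-07T10:00:30Z 4624 LogonType=10 TargetUser=administrator SourceIP=192.168.0.100
2023-04-07T10:05:00Z 4625 LogonType=10 TargetUser=alice SourceIP=10.0.0.4
2023-04-07T10:05:10Z 4624 LogonType=10 TargetUser=alice SourceIP=10.0.0.4
"""

def parse_event(line):
    """Split one constructed event line into a dict of its fields."""
    ts, event_id, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "id": int(event_id)}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def detect_rdp_bruteforce(text, threshold=5, window_s=60):
    """Return alerts as (kind, source_ip, detail) tuples.
    'bruteforce' fires once per IP when `threshold` RDP failures land inside a
    sliding `window_s` window; 'success_after_bruteforce' fires when that IP
    later completes an RDP logon (possible compromised account).
    """
    window = timedelta(seconds=window_s)
    failures, flagged, alerts = defaultdict(deque), set(), []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("LogonType") != "10":          # only RDP (RemoteInteractive) logons
            continue
        ip = ev["SourceIP"]
        if ev["id"] == 4625:
            q = failures[ip]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:       # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, f"{len(q)} failures in {window_s}s"))
        elif ev["id"] == 4624 and ip in flagged:
            alerts.append(("success_after_bruteforce", ip, ev["TargetUser"]))
    return alerts
```

In production the same logic would read 4625/4624 from the Event Log or a SIEM and map the real field names (IpAddress, TargetUserName, LogonType) onto these keys.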

Conclusion

The Remote Desktop Protocol (RDP) is a popular protocol for remote access but presents significant security risks. To mitigate these risks, implement strong passwords, NLA, VPNs, access restrictions, regular patching, monitoring, MFA, and bastion hosts. Stay vigilant and up to date with the latest security trends and vulnerabilities to effectively secure RDP systems.